-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-97.08 AUSCERT Advisory
Solaris 2.x CDE sdtcm_convert vulnerability
24 February 1997
Last Revised: --
- ---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the
Solaris 2.x Common Desktop Environment (CDE) sdtcm_convert utility.
This vulnerability may allow local users to gain root privileges.
Exploit information involving this vulnerability has been made publicly
available.
AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
- ---------------------------------------------------------------------------
1. Description
sdtcm_convert(1) is a calendar data conversion utility which converts
between version 3 and version 4 calendar data formats.
During the execution of sdtcm_convert, files are modified with root
privileges in an insecure manner. By manipulating the files that
sdtcm_convert is accessing, local users may change the ownership of
arbitrary files on the system. This may be leveraged to gain
root privileges.
sdtcm_convert is part of the Solaris 2.x Common Desktop Environment
(CDE) Applications package, SUNWdtdst. Sites can determine whether
the SUNWdtdst package is installed with the command:
% pkginfo -l SUNWdtdst
The long listing (-l) from pkginfo will also give the version of the
CDE package installed.
The default location for sdtcm_convert is /usr/dt/bin/sdtcm_convert.
2. Impact
Local users may be able to change the ownership of arbitrary files
on the system. This may be leveraged to gain root privileges.
3. Workarounds/Solution
Official vendor patches have been released by Sun Microsystems which
address this vulnerability (Section 3.1).
Until the patches recommended by Sun Microsystems can be applied,
AUSCERT recommends that sites limit the possible exploitation of this
vulnerability by immediately removing the setuid permissions as stated
in Section 3.2.
3.1 Install vendor patches
Sun Microsystems has released security patches which address the
vulnerability described in this advisory. AUSCERT recommends that
sites apply these patches as soon as possible.
Patches have been released for:
CDE version Patch MD5
~~~~~~~~~~~ ~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1.0.1 sparc 103671-02.tar.Z abb42a75b89c16e085d0f8811eeede10
1.0.2 sparc 103670-02.tar.Z e9f8f34deaaf215ff5f5b632bf0d45ea
1.0.1 x86 103718-02.tar.Z cebb82a95592392359f5206fe2a63ed1
1.0.2 x86 103717-02.tar.Z 18fe28c03abdf118b647fd347261089e
Sites with SunService Contracts may obtain these patches through
their local SunSolve Online server.
For sites without a SunService Contract, the above security patches
may be retrieved from:
ftp://sunsolve1.sun.com.au/pub/outgoing/
Note that this site is currently the only public area where these patches
are available.
3.2 Remove setuid permissions
To prevent the exploitation of the vulnerability described in this
advisory, AUSCERT recommends that the setuid permissions be removed
from sdtcm_convert immediately. As the sdtcm_convert program will no
longer work for non-root users, it is recommended that the execute
permissions also be removed.
For example:
# ls -l /usr/dt/bin/sdtcm_convert
-r-sr-sr-x 1 root daemon 285700 Feb 24 12:20 /usr/dt/bin/sdtcm_convert
# chmod 500 /usr/dt/bin/sdtcm_convert
-r-x------ 1 root daemon 285700 Feb 24 12:20 /usr/dt/bin/sdtcm_convert
4. Additional measures
Most Unix systems ship numerous programs which have setuid or setgid
privileges. Often the functionality supplied by these privileged
programs is not required by many sites. The large number of privileged
programs that are shipped by default are to cater for all possible
uses of the system.
AUSCERT encourages sites to examine all the setuid/setgid programs
and determine the necessity of each program. If a program does not
absolutely require the setuid/setgid privileges to operate (for
example, it is only run by the root user), the setuid/setgid
privileges should be removed. Furthermore, if a program is not
required at your site, then all execute permissions should be removed.
A sample command to find all setuid/setgid programs is (run as root):
# find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \;
It is AUSCERT's experience that many vulnerabilities are being
discovered in setuid/setgid programs which are not necessary for the
correct operation of most systems. Sites can increase their security
by removing unnecessary setuid/setgid programs.
For example, the functionality provided by the sdtcm_convert program
is not needed by many sites. If sites had previously disabled
sdtcm_convert, they would not have been vulnerable to this latest
exploit.
- ---------------------------------------------------------------------------
AUSCERT thanks Marko Laakso (University of Oulu) for his initial report,
continued assistance, and technical expertise crucial in the production of
this advisory. Thanks also to CERT/CC, DFN-CERT and Sun Microsystems for
their help in this matter.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
Prentice Centre
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBMxG+fyh9+71yA2DNAQEjSwP/WdzzIz1abitnf+DSwPTCjCBVQAVNlsiG
N9uim1D+beFSAOOnZ2fqaXxmMXOEDeXpqlVUAWZNbJL7LkfpJPAnMU/8sZdLzY+U
SGQt0tV1JFsn5tCeTz+mCD/dgejdSnOYa3L2/65Sg/XXVLPWFc1N4jMVd8iAvK9i
pM6V1v4fcoY=
=mbcK
-----END PGP SIGNATURE-----